Analysis of attacks by suspected Group123 (APT37) targeting foreign trade professionals in China and South Korea
2019-10-28 • Qihoo360 • Analysis of attacks by suspected Group123 (APT37) targeting foreign trade professionals in China and South Korea
Tencent Yujian reports a suspected Group123/APT37 phishing campaign observed from late August to mid-September 2019 against people likely connected to China-South Korea trade. The attack used RAR archive lures with Korean-themed filenames and executables disguised as Word documents, then downloaded a disguised JPG from artmuseums.or.kr that decrypted into a RAT installed as svchost.exe. The RAT collected host information and document lists, including Korean HWP files, while an additional module read C2 data from aconfig.ini and dropped a WinRAR command-line component. Tencent assesses the activity as likely Group123 based on the target profile, Korean-language artifacts, Korea-related compromised C2 infrastructure, and similarities to previously reported ScarCruft/Group123 tradecraft, while noting some overlap with Darkhotel-style behavior.
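The lure chain above relies on three masquerades a defender can check for cheaply: an executable named like a Word document, a "JPG" whose bytes are not an image, and a payload dropped under the name svchost.exe outside the system directories. The triage helper below is an added example written for this page, not code from Tencent's report; the allow-listed svchost.exe directories, the extension lists and the sample paths and bytes are all constructed assumptions.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Leading bytes of the formats the lures impersonated (assumed signatures).
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
    ".docx": b"PK\x03\x04",                        # ZIP container
}
EXEC_EXT = {".exe", ".scr", ".com"}
# Directories where a genuine svchost.exe lives (hypothetical allow-list).
SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

def extension_mismatch(name: str, header: bytes) -> Optional[str]:
    """Explain why naming or content disagrees with the claimed type, else None."""
    p = PureWindowsPath(name)
    ext = p.suffix.lower()
    # Double extension such as 'contract.doc.exe': document look, executable type.
    if ext in EXEC_EXT and len(p.suffixes) > 1 and p.suffixes[-2].lower() in MAGIC:
        return f"executable hidden behind {p.suffixes[-2].lower()} extension"
    expected = MAGIC.get(ext)
    if expected is None or header.startswith(expected):
        return None
    if header.startswith(b"MZ"):
        return f"PE executable with {ext} extension"
    return f"content does not match {ext} signature"

def suspicious_svchost(path: str) -> bool:
    """True when a file named svchost.exe sits outside the system directories."""
    p = PureWindowsPath(path)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SVCHOST_DIRS

def triage(files: Dict[str, bytes]) -> List[str]:
    """Run both checks over {path: leading bytes} and return the findings."""
    findings = []
    for path, header in files.items():
        reason = extension_mismatch(path, header)
        if reason:
            findings.append(f"{path}: {reason}")
        if suspicious_svchost(path):
            findings.append(f"{path}: svchost.exe outside system directories")
    return findings

if __name__ == "__main__":
    # Constructed sample paths and bytes, not artifacts from the report.
    print("\n".join(triage({
        "C:\\Users\\u\\Downloads\\계약서.doc.exe": b"MZ\x90\x00",
        "C:\\Users\\u\\AppData\\Local\\Temp\\photo.jpg": b"\x13\x37\xde\xad",
        "C:\\Users\\u\\AppData\\Roaming\\svchost.exe": b"MZ\x90\x00",
    })))
```

Feed it the first few bytes of each file from a download directory or a sandbox file dump; a hit on any of the three checks is a reason to pull the sample for analysis, not proof of this campaign.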
Indicators of Compromise